New Klez Variant Infection

We have become aware that a growing number of campus network connected computers have been infected with the W32.Klez.H@mm computer virus. This virus is spread by email and can also infect files within shared directories. According to initial reports, this worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment. The subject line, attachment file name and message body of the infected email message contains random character strings. The virus is also capable of disabling some anti-virus programs and can execute the W32.Elkern.4926 virus. Some anti-virus vendors have released new virus definitions for this infection within the last two days. Please ensure the anti-virus programs on your computers have been recently updated. The Symantec (Norton Anti-virus) virus definition update for this virus is dated 4/17/2002 and the McAfee DAT file for this virus should be at the 4182 level or higher. Further information about the virus and removal instructions for Klez infected computers can be found at:

* http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html

* http://vil.mcafee.com/dispVirus.asp?virus_k=99367

Information about the original campus reports of Klez infections can be found at http://security.ucdavis.edu/alerts/041002.html

Robert A. Ono, CISSP Information Technology Security Coordinator Information and Educational Technology University of California, Davis (530) 754-6484 Desk